Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Jared 2004/03/17
Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Computer Security is an important topic E-commerce blossoms Internet works its way every nook All lies a common enemy — bad software
Information Networking Security and Assurance Lab National Chung Cheng University It’s All about the Software Software no longer supports offices and home entertainment The biggest problem in computer security It is the software! You may have the world’s best firewall, but… Malicious hackers not create security holes, they exploit them
Information Networking Security and Assurance Lab National Chung Cheng University Hackers, Crackers, and Attackers Hackers Originally positive meaning Sprang from MIT during the late 1960s People solving tricky problems through programming Software engineer — MacGyver Most people Locksmiths are burglars?
Information Networking Security and Assurance Lab National Chung Cheng University Hackers, Crackers, and Attackers Cracker In the mid 1980s, hacker coined the term cracker A cracker is someone who breaks software for nefarious ends
Information Networking Security and Assurance Lab National Chung Cheng University Hackers, Crackers, and Attackers Attacker Hacker, fuzzy feelings Malicious hacker, attacker, or bad guy
Information Networking Security and Assurance Lab National Chung Cheng University Who is the Bad Guy? What hackers do? If break into, they should notify the author of the software Bay guy Little or no programming ability Downloading, building and running programs Hackers call it script kiddie Who wrote the programs Hacker malicious intent full disclosure
Information Networking Security and Assurance Lab National Chung Cheng University Dealing with Widespread Security Failures Popular sources for vulnerability information Bugtraq CERT advisories RISKS Digest
Information Networking Security and Assurance Lab National Chung Cheng University Dealing with Widespread Security Failures Sources for vulnerability information Bugtraq administered by securityfocus.com An discussion list SNR on Bugtraq is low Full disclosure Encourage vendors to fix problems more quickly
Information Networking Security and Assurance Lab National Chung Cheng University
Information Networking Security and Assurance Lab National Chung Cheng University Dealing with Widespread Security Failures Sources for vulnerability information CERT Advisories a federally funded research and development center Studies Internet security vulnerabilities Provides incident response services Publishes a variety of security alerts Not publicizing an attack until patched availabilities Only release advisories for significant problems
Information Networking Security and Assurance Lab National Chung Cheng University Dealing with Widespread Security Failures Sources for vulnerability information RISKS Digest A mailing list Most Java security attacks first appeared here comp.risks
Information Networking Security and Assurance Lab National Chung Cheng University Technical Trends Affecting Software Security Computer networks becoming ubiquitous more systems to attack, more attacks, and greater risks from poor software security practice the size and complexity of information systems and their corresponding programs C or C++ not protect against buffer overflow improper configuration
Information Networking Security and Assurance Lab National Chung Cheng University Technical Trends Affecting Software Security systems becoming extensible hard to prevent malicious code from slipping in the plug-in architecture of Web browsers Word processors clients Spreadsheets
Information Networking Security and Assurance Lab National Chung Cheng University The ‘ilities What Is Security? To enforcing a policy that describes rules for accessing resources Well-defined policy
Information Networking Security and Assurance Lab National Chung Cheng University The ‘ilities Isn’t That Just Reliability? Comparing reliability with security Reliability problems considered DoS problems
Information Networking Security and Assurance Lab National Chung Cheng University Penetrate and Patch Is Bad Vendors paid little attention to security Problems to the penetrate-and-patch approach Developers can only patch problems that they know about. Attackers may find problems that they never report to developers. Patches are rushed out as a result of market pressures on vendors, and often introduce new problems of their own to a system. Patches often only fix the symptom of a problem, and do nothing to address the underlying cause. Patches often go unapplied, as system administrators tend to be overworked, and often do not wish to make changes to a system that “works”. As we discussed above, system administrators are generally not security professionals.
Information Networking Security and Assurance Lab National Chung Cheng University Penetrate and Patch Is Bad
Information Networking Security and Assurance Lab National Chung Cheng University On Art and Engineering Software engineering goes through … “Internet time phenomenon” These days, Internet years rival dog years in shortness of duration. Specification poorly written An implementation problem or a specification problem?
Information Networking Security and Assurance Lab National Chung Cheng University Security Goals Prevention Traceability and Auditing Monitoring Privacy and Confidentiality Multilevel Security Anonymity Authentication Integrity
Information Networking Security and Assurance Lab National Chung Cheng University Security Goals Prevention An ounce of prevention worth a pound of punishment Internet time: the enemy of software security Affects the propagation of attacks Zero day Prevention more important than ever
Information Networking Security and Assurance Lab National Chung Cheng University Zero day
Information Networking Security and Assurance Lab National Chung Cheng University Security Goals Traceability and Auditing No 100% security The keys to recovering For forensics Detect, dissect, and demonstrate an attack Monitoring Real-time auditing IDS Tripwires
Information Networking Security and Assurance Lab National Chung Cheng University Security Goals Privacy and Confidentiality They are deeply intertwined Three groups: individuals, business, and government Lots of reasons for software to keep secrets and to ensure privacy A program is running can pry out secret a piece of software may be trying to hide
Information Networking Security and Assurance Lab National Chung Cheng University Security Goals Multilevel Security From unclassified -> Top Secret Employees, business partners and others Anonymity A double-edge sword cookies
Information Networking Security and Assurance Lab National Chung Cheng University Security Goals Privacy and Confidentiality Three groups: individuals, business, and government Lots of reasons for software to keep secrets and to ensure privacy A program is running can pry out secret a piece of software may be trying to hide
Information Networking Security and Assurance Lab National Chung Cheng University Authentication Big three security goals Who, when, and how Nowadays, physical presence not enough Authentication on the Web SSL — to whom are you connected? Security Goals
Information Networking Security and Assurance Lab National Chung Cheng University Security Goals Integrity Staying the same? Stock prices as a example
Information Networking Security and Assurance Lab National Chung Cheng University Software Project Goals Functionality To solve a problem Usability Affects reliability Efficiency Security comes with significant overhead Time-to-market Internet time happens Simplicity Good for both software and security
Information Networking Security and Assurance Lab National Chung Cheng University Conclusion Computer security is a vast topic The root of most security problems is software